In computer programming, a “claim” is a declaration made by an entity (often referred to as an issuer). The claim is often packaged in a security token in such a way that the declaration can be reliably attributed to the issuer with high confidence. Security tokens are protected against tampering. Accordingly, a relying party that receives the security token can access the claim, evaluate the issuer, and ascribe an appropriate amount of trust to the declaration made by the issuer. Often, the issuer is highly trusted, and thus the declaration is taken by the relying party to be true. The relying party may then perform appropriate processing taking as a given that the declaration is true.
Authentication is conventionally externalized using claims and security tokens. When a client tries to access the services of a relying party and externalized authentication is performed, the client is referred to a security token service. In the case of a browser client, this is usually done through a HyperText Transfer Protocol (HTTP) redirect. The security token service authenticates the user and formulates appropriate claims regarding the user. The security token service has pre-negotiated with the relying party which declarations will be most useful. The claims are then packaged in a security token and returned to the client, whereupon the client is referred back to the relying party. The client then provides the security token to the relying party. The relying party evaluates the security token, accesses the claims, perhaps takes the declarations therein to be true, and performs appropriate processing given the declarations made.
There may be multiple tiers of security token services. For instance, the first-tier security token service mentioned above may refer the client to a second-tier security token service and expect a second-tier security token in return from it. In that case, the first-tier security token service will be a relying party for the second-tier security token, and will formulate its own claims based on the claims made therein. The first-tier security token service would then formulate the first-tier security token and return it to the relying party from which the user originally requested the service.
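As an added illustration that is not part of the original text, the following Python sketch models the two-tier flow just described: a second-tier security token service issues a MAC-sealed token, the first-tier service verifies it as a relying party and re-issues the claims it pre-negotiated with the downstream service, and the final relying party accepts tokens from the first-tier issuer only. The issuer names, keys and claim names are constructed for the example; a production deployment would use asymmetric signatures so that relying parties hold only public keys.

```python
import base64, hashlib, hmac, json

# Constructed example keys (shared secrets); real issuers would sign with a
# private key and publish the public key to relying parties.
STS1_KEY = b"first-tier-sts-example-key"
STS2_KEY = b"second-tier-sts-example-key"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(issuer: str, key: bytes, claims: dict) -> str:
    """Issuer packages its claims and seals them with a MAC (tamper protection)."""
    body = _b64(json.dumps({"iss": issuer, "claims": claims}, sort_keys=True).encode())
    mac = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(mac)

def verify_token(token: str, trusted_issuers: dict):
    """Relying party: evaluate the issuer, then check integrity; claims or None."""
    try:
        body, sig = token.split(".")
        payload = json.loads(_unb64(body))
        sig_bytes = _unb64(sig)
    except (ValueError, UnicodeDecodeError):
        return None  # malformed token
    if not isinstance(payload, dict):
        return None
    key = trusted_issuers.get(payload.get("iss"))
    if key is None:
        return None  # unknown issuer: its declarations earn no trust
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig_bytes):
        return None  # MAC mismatch: forged or tampered token
    return payload.get("claims")

def first_tier_sts(second_tier_token: str):
    """First-tier STS acts as relying party for the second-tier token and
    derives the claims the downstream relying party asked for (subject, role)."""
    upstream = verify_token(second_tier_token, {"sts2.example": STS2_KEY})
    if upstream is None:
        return None
    role = "admin" if "admins" in upstream.get("groups", []) else "user"
    return issue_token("sts1.example", STS1_KEY, {"sub": upstream.get("sub"), "role": role})

def relying_party(first_tier_token: str):
    """The service the user originally asked for trusts only the first-tier STS."""
    return verify_token(first_tier_token, {"sts1.example": STS1_KEY})
```

Note that `relying_party` rejects the second-tier token even though it is validly signed, because that issuer is not in its trust list; trust is evaluated per issuer, not per token format.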